There’s good news and bad news when it comes to cybersecurity and ASCs. The good news is healthcare organizations saw fewer records compromised by cyberattacks in 2016. In 2016, “only” 12 million records were compromised, down from nearly 100 million compromised records in 2015.
The bad news is two-fold. First, cybercriminals compromised millions of records. And second, they focused on smaller targets, which likely includes ambulatory surgery centers.
Cybersecurity must be a high priority for ASCs. In fact, ASCs should treat cybersecurity with the same care and attention as they extend to their patients. Cybercriminals are looking to exploit even the smallest mistake or shortcoming. You cannot afford to give them such an opportunity.
Consider this scenario
An ASC performs a top-level information technology (IT) assessment. It finds frequent communications and discussions are occurring with the surgery center’s IT vendor. A monthly activity log indicates the servers are routinely checked for viruses, unusual activities in event logs, and overall IT performance. Basic server maintenance is ongoing. When the IT vendor installed a new server, they implemented appropriate security measures (e.g., anti-virus and anti-spyware protection, firewall, backup system).
Sounds pretty good, right? The basics seem to be in place. Unfortunately, pretty good does not mean great, nor does it indicate perfection. And when there are imperfections, there are open doors for possible cybercriminal intrusion.
Potential risks and concerns
Here are some potential risks and concerns a top-level assessment like the one above may overlook.
1. Anti-virus software installed on some computers and servers. If even a single computer connected to the network or server is missed, this creates a vulnerability.
2. Like most software, antivirus and antispyware programs must undergo regular updates. When a security software update is missed, the wall of protection is weakened.
3. Servers must also undergo updates. Updates often address security gaps identified by the server’s operating system developer (e.g., Microsoft). Once again, if an update is missed, security could be compromised.
4. The use of a backup system is critical. It can allow you to restore data in the event of data loss due to viruses, accidents, or disasters. However, that’s only the case if the backup system is configured properly to backup data correctly, efficiently, and with the right amount of data retention. Simply “having” a backup system does not mean proper backups occur.
5. An ASC should use a firewall to protect against possible outside threats and intrusions. Think of a firewall as filling the role of disease prevention while antivirus software is more for infection control. A firewall will maximize its effectiveness when configured properly. But as with disease prevention, problems may develop if the ASC neglects anything.
Although installing a firewall is an important security step, additional steps must follow. A firewall without content filtering that prevents users from visiting any website could open your surgery center to security problems. It also reduces staff productivity. Firewalls can filter out identified, malicious, virus-infected websites, but only with the proper configuration.
Some firewalls can provide an “intrusion prevention system.” This functionality is designed to detect and block attempts to exploit network vulnerabilities for taking control of a computer or network. Enable and configure this functionality to better protect the network.
6. Conversations with an IT vendor are nice, but what happens if you need hands-on expertise on short notice? This is where the use of a remote monitoring and management system comes into play.
When installed, the system permits the IT vendor to keep an eye on what is happening with an ASC’s network. The vendor can monitor the server, network, and workstation health. When an issue is identified, the vendor may be able to address it before cybercriminals exploit the problem.
If your IT looks fine on the surface, such a system may seem unnecessary . . . until it becomes very necessary. By then, it may be too late to use the system effectively.
When it comes to cybersecurity, you cannot afford to be reactive. There is a good chance a cybercriminal will be faster at reacting than you.
Work with your IT vendor to ensure your ASC is doing everything possible to identify and address potential risks and concerns. Put processes in place to help maintain the highest level of cybersecurity and keep cybercriminals at bay.
Diane Lampron – Director of Operations